Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e0c806dfdadaa27…

Verdict: MALICIOUS
File type: PDF
Size: 74.0 KB
Created: 2021-04-24 13:40:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1a2678c52f50f5b6ee2f750db86acaa0
SHA-1: 6842aab8922a4c0ded5cf63a452f4aa78f4eb1d6
SHA-256: 2e0c806dfdadaa273e92815df79716d30b61c4214a7bf45be42808cfd729c9db
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ML classifiers and ClamAV, with a high risk score. It contains an embedded URL pointing to 'dafemum.ru', which is likely part of a phishing or malware distribution scheme. The document body, though heavily obfuscated, suggests a lure related to 'Reality Transurfing' to entice users to click the malicious link.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (4)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://dafemum.ru/strik?utm_term=reality+transurfing+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e2f9.bin
    SHA-256: f53caffef8db679c7418877d4dfc20376742d1f04e6637309febad44ea24903b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE2F9
    Size: 5316 bytes
  • Filename: font_01_sfnt_off0000f532.bin
    SHA-256: 77ea16da806dd213fed7b7f85b707c710e8bbe83d762bbd5281c1575ddebb9a3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF532
    Size: 11084 bytes